Sync upstream tag 20260414

.github/workflows/release.yml

@@ -21,11 +21,20 @@ env:
 permissions: {}
 
 jobs:
+  release-gate:
+    name: Release gate
+    runs-on: ubuntu-latest
+    environment: release
+    steps:
+      - run: echo "Release approved"
+
   release:
     name: Release
+    needs: release-gate
     env:
       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     runs-on: ubuntu-24.04
+    environment: release
 
     permissions:
       contents: write
@@ -59,32 +68,13 @@ jobs:
           git config --global user.name "$GITHUB_ACTOR"
           git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com"
 
-      # Fetch the commit so that it exists locally.
-      - name: Fetch commit
-        if: ${{ github.event.inputs.dry-run == 'false' }}
-        run: git fetch origin ${GITHUB_EVENT_INPUTS_SHA}
-        env:
-          GITHUB_EVENT_INPUTS_SHA: ${{ github.event.inputs.sha }}
-
-      # Associate the commit with the tag.
-      - name: Create tag
-        if: ${{ github.event.inputs.dry-run == 'false' }}
-        run: git tag ${GITHUB_EVENT_INPUTS_TAG} ${GITHUB_EVENT_INPUTS_SHA}
-        env:
-          GITHUB_EVENT_INPUTS_TAG: ${{ github.event.inputs.tag }}
-          GITHUB_EVENT_INPUTS_SHA: ${{ github.event.inputs.sha }}
-      - name: Push tag
-        if: ${{ github.event.inputs.dry-run == 'false' }}
-        run: git push origin ${GITHUB_EVENT_INPUTS_TAG}
-        env:
-          GITHUB_EVENT_INPUTS_TAG: ${{ github.event.inputs.tag }}
-
-      # Create a GitHub release.
+      # Create a GitHub draft release for the target commit.
       - name: Create GitHub Release
         if: ${{ github.event.inputs.dry-run == 'false' }}
-        run: just release-create ${GITHUB_EVENT_INPUTS_TAG}
+        run: just release-create ${GITHUB_EVENT_INPUTS_TAG} ${GITHUB_EVENT_INPUTS_SHA}
         env:
           GITHUB_EVENT_INPUTS_TAG: ${{ github.event.inputs.tag }}
+          GITHUB_EVENT_INPUTS_SHA: ${{ github.event.inputs.sha }}
 
       # Uploading the relevant artifact to the GitHub release.
       - run: just release-run ${GH_TOKEN} ${GITHUB_EVENT_INPUTS_SHA} ${GITHUB_EVENT_INPUTS_TAG}

CONTRIBUTING.rst

@@ -37,9 +37,10 @@ Releases
 To cut a release, wait for the "MacOS Python build", "Linux Python build", and
 "Windows Python build" GitHub Actions to complete successfully on the target commit.
 
-Then, run the "Release" GitHub Action to create the release, populate the release artifacts (by
-downloading the artifacts from each workflow, and uploading them to the GitHub Release), and promote
-the SHA via the `latest-release` branch.
+Then, run the "Release" GitHub Action to create a draft release for the target commit,
+populate the release artifacts (by downloading the artifacts from each workflow, and uploading
+them to the GitHub Release), publish the release, and promote the SHA via the `latest-release`
+branch.
 
 The "Release" GitHub Action takes, as input, a tag (assumed to be a date in `YYYYMMDD` format) and
 the commit SHA referenced above.
@@ -49,8 +50,8 @@ with the tag `20240419` and the commit SHA `29abc56954fbf5ea812f7fbc3e42d87787d4
 once the "MacOS Python build", "Linux Python build", and "Windows Python build" workflows have
 run to completion on `29abc56`.
 
-When the "Release" workflow is complete, populate the release notes in the GitHub UI and promote
-the pre-release to a full release, again in the GitHub UI.
+When the "Release" workflow is complete, the release will have been published and version metadata
+will have been updated. You can then refine the release notes in the GitHub UI.
 
 At any stage, you can run the "Release" workflow in dry-run mode to avoid uploading artifacts to
 GitHub. Dry-run mode can be executed before or after creating the release itself.

Justfile

@@ -71,28 +71,35 @@ release-set-latest-release tag:
 
   git switch main
 
-# Create a GitHub release object, or reuse an existing prerelease.
-release-create tag:
+# Create a GitHub draft release for the target commit, or reuse an existing draft release.
+release-create tag commit:
   #!/usr/bin/env bash
   set -euo pipefail
-  prerelease_exists=$(gh release view {{tag}} --json isPrerelease -t '{{{{.isPrerelease}}' 2>&1 || true)
-  case "$prerelease_exists" in
+  draft_exists=$(gh release view {{tag}} --json isDraft -t '{{{{.isDraft}}' 2>&1 || true)
+  case "$draft_exists" in
     true)
-      echo "note: updating existing prerelease {{tag}}"
+      echo "note: updating existing draft release {{tag}}"
       ;;
     false)
-      echo "error: release {{tag}} already exists"
+      echo "error: release {{tag}} already exists and is not a draft"
       exit 1
       ;;
     "release not found")
-      gh release create {{tag}} --prerelease --notes TBD --verify-tag
+      gh release create {{tag}} --draft --title {{tag}} --notes TBD --target {{commit}}
       ;;
     *)
-      echo "error: unexpected gh cli output: $prerelease_exists"
+      echo "error: unexpected gh cli output: $draft_exists"
       exit 1
       ;;
   esac
 
+# Publish the draft GitHub release and promote the tag to latest-release.
+release-finalize tag:
+  #!/usr/bin/env bash
+  set -euo pipefail
+  gh release edit {{tag}} --draft=false --latest
+  just release-set-latest-release {{tag}}
+
 # Upload release artifacts to an S3-compatible mirror bucket with the correct release names.
 # AWS credentials are read from the standard AWS_* environment variables.
 # Requires `release-run` to have been run so that dist/SHA256SUMS exists.
@@ -122,7 +129,7 @@ release-run token commit tag:
   just release-download-distributions {{token}} {{commit}}
   datetime=$(ls dist/cpython-3.10.*-x86_64-unknown-linux-gnu-install_only-*.tar.gz  | awk -F- '{print $8}' | awk -F. '{print $1}')
   just release-upload-distributions {{token}} ${datetime} {{tag}}
-  just release-set-latest-release {{tag}}
+  just release-finalize {{tag}}
 
 # Perform a release in dry-run mode.
 release-dry-run token commit tag:

cpython-unix/build-tcl.sh

@@ -67,12 +67,20 @@ rm -rf pkgs/sqlite* pkgs/tdbc*
 pushd unix
 
 CFLAGS="${EXTRA_TARGET_CFLAGS} -fPIC -I${TOOLS_PATH}/deps/include"
-LDFLAGS="${EXTRA_TARGET_CFLAGS} -L${TOOLS_PATH}/deps/lib"
+LDFLAGS="${EXTRA_TARGET_LDFLAGS} -L${TOOLS_PATH}/deps/lib"
 if [[ "${PYBUILD_PLATFORM}" != macos* ]]; then
     LDFLAGS="${LDFLAGS} -Wl,--exclude-libs,ALL"
 fi
 
-CFLAGS="${CFLAGS}" CPPFLAGS="${CFLAGS}" LDFLAGS="${LDFLAGS}" ./configure \
+# Tcl configures and builds packages (itcl, threads, ...) as make targets.
+# These do not pick up environment variables passed to ./configure
+# Export compiler flags to make them available when configuring and building
+# these packages.
+# An alternative is to include these when calling ./configure AND make
+export CFLAGS LDFLAGS
+export CPPFLAGS="${CFLAGS}"
+
+./configure \
     --build="${BUILD_TRIPLE}" \
     --host="${TARGET_TRIPLE}" \
     --prefix=/tools/deps \

cpython-unix/targets.yml

@@ -185,6 +185,9 @@ armv7-unknown-linux-gnueabi:
   host_cxx: /usr/bin/x86_64-linux-gnu-g++
   target_cc: /usr/bin/arm-linux-gnueabi-gcc
   target_cxx: /usr/bin/arm-linux-gnueabi-g++
+  target_ldflags:
+    # Hardening
+    - '-Wl,-z,noexecstack'
   needs:
     - autoconf
     - bdb
@@ -226,6 +229,9 @@ armv7-unknown-linux-gnueabihf:
   host_cxx: /usr/bin/x86_64-linux-gnu-g++
   target_cc: /usr/bin/arm-linux-gnueabihf-gcc
   target_cxx: /usr/bin/arm-linux-gnueabihf-g++
+  target_ldflags:
+    # Hardening
+    - '-Wl,-z,noexecstack'
   needs:
     - autoconf
     - bdb
@@ -266,6 +272,9 @@ loongarch64-unknown-linux-gnu:
   host_cxx: /usr/bin/x86_64-linux-gnu-g++
   target_cc: /usr/bin/loongarch64-linux-gnu-gcc
   target_cxx: /usr/bin/loongarch64-linux-gnu-g++
+  target_ldflags:
+    # Hardening
+    - '-Wl,-z,noexecstack'
   needs:
     - autoconf
     - bdb
@@ -307,6 +316,9 @@ mips-unknown-linux-gnu:
   host_cxx: /usr/bin/x86_64-linux-gnu-g++
   target_cc: /usr/bin/mips-linux-gnu-gcc
   target_cxx: /usr/bin/mips-linux-gnu-g++
+  target_ldflags:
+    # Hardening
+    - '-Wl,-z,noexecstack'
   needs:
     - autoconf
     - bdb
@@ -348,6 +360,9 @@ mipsel-unknown-linux-gnu:
   host_cxx: /usr/bin/x86_64-linux-gnu-g++
   target_cc: /usr/bin/mipsel-linux-gnu-gcc
   target_cxx: /usr/bin/mipsel-linux-gnu-g++
+  target_ldflags:
+    # Hardening
+    - '-Wl,-z,noexecstack'
   needs:
     - autoconf
     - bdb
@@ -389,6 +404,9 @@ ppc64le-unknown-linux-gnu:
   host_cxx: /usr/bin/x86_64-linux-gnu-g++
   target_cc: /usr/bin/powerpc64le-linux-gnu-gcc
   target_cxx: /usr/bin/powerpc64le-linux-gnu-g++
+  target_ldflags:
+    # Hardening
+    - '-Wl,-z,noexecstack'
   needs:
     - autoconf
     - bdb
@@ -430,6 +448,9 @@ riscv64-unknown-linux-gnu:
   host_cxx: /usr/bin/x86_64-linux-gnu-g++
   target_cc: /usr/bin/riscv64-linux-gnu-gcc
   target_cxx: /usr/bin/riscv64-linux-gnu-g++
+  target_ldflags:
+    # Hardening
+    - '-Wl,-z,noexecstack'
   needs:
     - autoconf
     - bdb
@@ -474,6 +495,9 @@ s390x-unknown-linux-gnu:
   target_cflags:
     # set the minimum compatibility level to z10 (released 2008)
     - '-march=z10'
+  target_ldflags:
+    # Hardening
+    - '-Wl,-z,noexecstack'
   needs:
     - autoconf
     - bdb

pythonbuild/disttests/__init__.py

@@ -314,7 +314,7 @@ def test_ssl(self):
         if os.name == "nt" and sys.version_info[0:2] < (3, 11):
             wanted_version = (1, 1, 1, 23, 15)
         else:
-            wanted_version = (3, 5, 0, 5, 0)
+            wanted_version = (3, 5, 0, 6, 0)
 
         self.assertEqual(ssl.OPENSSL_VERSION_INFO, wanted_version)
 
@@ -405,7 +405,7 @@ def assertPythonWorks(path: Path, argv0: Optional[str] = None):
             )
             self.assertEqual(output.strip(), "42")
 
-        with tempfile.TemporaryDirectory(prefix="verify-distribution-") as t:
+        with tempfile.TemporaryDirectory(prefix="disttests-") as t:
             tmpdir = Path(t)
             symlink = tmpdir / "python"
             symlink.symlink_to(sys.executable)